Gustuff Android malware targets 100 + banking and 32 crypto – monetary applications



An unreported, advanced banking Trojan named Gustuff can steal accounts from over 100 banks worldwide and rob users of 32 Android cryptocurrency apps.

A monthly subscription of $800 was identified as a threat and first discovered in April 2018. Your developer promotes AndyBot malware as an upgraded variant whose activity has been tracked since 2017.

The malware includes code for top world banks including Bank of America, Bank of Scotland, J.P. Morgan, Wells Fargo, Capital One, TD Bank and PNC Bank.

It also searches for cryptocurrency wallet applications such as Bitcoin Wallet, BitPay, Cryptopay, Coinbase services, and more. Group-IB researchers specialized in cyberattack prevention have noticed that the code of Gustuff lists applications from banks across the US (27), Poland (16), Australia (10), Germany (9), and India (8).

Other types of apps, however, have interest: places on the market, online shops, payment systems and messaging solutions. The malware uses relatively rare tactics to access and change text fields automatically in targeted applications, for example PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut Gustuff and Google Protect.

Gustuff uses Android Accessibility to interact with displays from other apps on compromised devices. This feature, which is designed to help people with disabilities use Android devices and apps, is not the first threat. In this case, the aim is to bypass protections against older generations of banking trojans as well as Google’s security policy in later Android versions.

Group-IB states that one of the malware features is to turn off Google Play Protect, the built-in anti-malware protection on Android (https:/www.android.com/play-protect). Driven by machine learning algorithms, the default defense of Google scans the device automatically to make sure it has the most advanced security measures.

Despite that, the developer of Gustuff claims that their code could successfully reduce the defense of Google in 70 percent of cases. Built for massive propagation and maximum efficiency Gustuff spreads to other mobile devices by reading a contact list and sending messages to its APK installation file via a link.



A database on the C2 server is also being used to distribute the malware, the researchers note today in a report. Including’ sending the infected device information to the C&C server, reading / sending SMS messages, sending USSD requests, launching theSOCKS5 Proxy, following the links, transferring the files (including document scans, screenshots, photos) to the C&C server and resetting a device in factory settings,’ says Group-Ib.

Another feature is to display fake push notifications with icons from legible apps. One aim is to steal account credentials by displaying a false login page downloaded from the server of the attacker. Another objective is to force the victim into the real account so that the malware can carry out its auto-fill routine in payment areas and start unauthorized transactions.

Gustuff is a Russian-speaking cybercriminal operation, but its operations are primarily foreign to the country, something that is specific to all new Android trojans traded in underground forums. With the arrests of owners of some of Android’s largest botnets, Russia experienced a significant decrease in cyber theft.

“Some hackers ‘ patch’ and use the trojan samples in their attacks against users in Russia,” says Rustam Mirkasymov, head of the Group-IB Dynamic Analysis Department.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.